Azure AD Shortcuts


NOTE: Check out the new and improved version of this.

I’m a command line guy and hate having to click to get to various Azure AD pages. Over time I created these shortcuts and thought you might find them helpful.

Here is how it works. Open a new tab and type {command}, where {command} is one of the commands below.

    Command     Portal Blade
    ca          Conditional Access
    pim         Privileged Identity Management
    users       Users
    groups      Groups
    devices     Devices
    apps        Enterprise Applications
    appreg      Application Registrations
    auth        Authentication Methods Policies
    legacymfa   Legacy MFA
    guests      Guest Access Settings
    logs        Sign in Logs
    xtap        Cross Tenant Access Settings
    roles       Azure AD Roles
    sspr        Password Reset
    security    Security
    mfaunblock  MFA Unblock
    reviews     Access Reviews
    score       Secure Score
    license     Licenses
    synclog     AAD Connect Sync Errors
    adfslog     ADFS Log
    consent     Consents and Permissions
    support     Support
    list        List all these shortcuts

If you liked those, here are some of my favourite Identity related shortcuts.

    Page
    Azure AD Portal
    Self Service Password Reset
    My Security
    My Apps
    My Account
    My Groups
    My Access Packages
    My Access Packages Alternative for My Security
    Graph Explorer
    Intune

Have I missed anything? Have new suggestions? Let me know at

Graph PowerShell Conversion Analyzer


Screenshot of Graph PowerShell Analyzer

Hey folks, I took part in a hackathon last week and built the Graph PowerShell Conversion Analyzer. Hopefully, this will help a bit as you upgrade your AzureAD & MSOnline PowerShell scripts to Graph PowerShell.

It’s very rough right now but I would love to hear your feedback.

Try it out at

You start by pasting in one of your old scripts that you want to upgrade to Graph PowerShell and clicking the Analyze button.

This will generate a report of all the Azure AD PowerShell and MSOnline commands that were found along with a mapping to its corresponding Graph PowerShell command. The sample generated will try to map the parameters to the new command.

This is where I still need to do a lot more work to make it really useful.

Screenshot of Analysis Report

Where possible you also get direct links to both the Graph PowerShell command reference as well as the Graph API reference (which usually has more relevant info).

No more hunting around and searching the docs!

Screenshot showing links to the docs

The last bit is where you the community can really help us and each other out. We’ve started an open repository of sample Graph PowerShell scripts at

We would love to make this the largest collection of Graph PowerShell sample scripts. It’s open to everyone to contribute so please share your scripts (even one-liners).

Screenshot of the Graph samples community

Let me know what you think. If you have any ideas on how this can be improved I’m all ears!

Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.


Are you seeing this message when trying to get user license information using the Graph API?

Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.

    Get-MgUser -Filter 'assignedLicenses/$count eq 0'
    Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.

The fix is quite simple. Filtering on $count of a collection property is an advanced query, so set the ConsistencyLevel header to eventual and pass in a variable name to store the count of the result set, and you are good to go.

    Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual -CountVariable licensedUserCount -All
    Id                                   DisplayName     Mail                           UserPrincipalName
    --                                   -----------     ----                           -----------------
    1468b68b-8536-4bc5-ab1f-6014175b836d merill-fdo…
    160f8064-a20c-4236-bdf4-3393003e916b Ezra Brand         …
    37e5a3d1-f92b-4a12-bb35-91bf80969810 Joshua Sal …
    5c8537e4-7d7f-4920-a921-382d91fa53fd Fake Damain  …
    640885de-9652-4fb2-8a87-963cc2f599a0 Chris Green…
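The advanced-query pattern above, worked through as an added example (not code from the original post): it runs the same $count filter for both unlicensed and licensed users, highlights enabled accounts with no license, and then issues the equivalent raw request so the two pieces the cmdlet parameters add (the ConsistencyLevel header and $count=true in the query string) are visible. It assumes the Microsoft.Graph.Users module is installed and the signed-in account has the User.Read.All scope.

```powershell
# Added example: requires Microsoft.Graph.Users and the User.Read.All scope (assumptions).
Connect-MgGraph -Scopes 'User.Read.All'

# $count on a collection property is an "advanced query". Graph only evaluates it when the
# request carries the ConsistencyLevel: eventual header AND $count=true in the query string.
# -ConsistencyLevel adds the header; -CountVariable adds $count=true and stores the total
# number of matches in the named variable.
$unlicensed = Get-MgUser -Filter 'assignedLicenses/$count eq 0' `
    -ConsistencyLevel eventual -CountVariable unlicensedCount -All `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled

$licensed = Get-MgUser -Filter 'assignedLicenses/$count ne 0' `
    -ConsistencyLevel eventual -CountVariable licensedCount -All `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled

"Licensed users:   $licensedCount"
"Unlicensed users: $unlicensedCount"

# Enabled accounts with no license cannot use licensed workloads, so they are often stale
# or forgotten accounts and worth reviewing.
$unlicensed |
    Where-Object { $_.AccountEnabled } |
    Select-Object DisplayName, UserPrincipalName

# The same query as a raw request. Single quotes keep PowerShell from expanding $filter,
# $count and $select; spaces in the filter are percent-encoded.
$uri = 'https://graph.microsoft.com/v1.0/users?$filter=assignedLicenses/$count%20eq%200&$count=true&$select=id,displayName'
$resp = Invoke-MgGraphRequest -Method GET -Uri $uri -Headers @{ ConsistencyLevel = 'eventual' }
"Raw request reported $($resp['@odata.count']) unlicensed users"
```

Without the header the raw request fails with the same "complex type 'AssignedLicense'" error shown above; without $count=true it succeeds but the response carries no @odata.count, which is why the cmdlet insists on both parameters together.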

Azure AD Nudge (Authenticator registration campaign) failing to prompt users


Getting users to go to the page and set up the Authenticator app for MFA is not an easy task.

Azure AD’s ‘Nudge’ feature allows you to run a Microsoft Authenticator registration campaign that interrupts a user signing in with SMS and nudges them to set up the Authenticator app.

If you set this up but are not seeing users being nudged/prompted with the ‘Improve your sign-ins’ message, it's most probably because you have a conditional access policy for the ‘Register security information’ page.

The nudge screen will not be displayed if a user’s sign in is in scope of a conditional access policy that blocks access to the “Register security information” page.

Let’s take for example a conditional access policy that blocks users from accessing the ‘Register security information’ page over the internet and limits access to your company’s corporate network (local area network).

When a user tries signing in over the internet and uses SMS they will not be shown the nudge (Improve your sign-ins) screen.

Let’s say, for argument's sake, that Azure AD were to send them to the page where they can set up security info. If we allowed the user to set up new auth methods there, it would bypass the conditional access policy defined above. Alternatively, it wouldn’t be a pleasant experience if we redirected the user to the nudge screen and then showed them a CA policy error when they tried to set up a new auth method.

Instead, we simply avoid showing the nudge prompt if the current sign-in would be blocked by the conditional access policy that covers ‘Register security info’.

Hope that makes sense.
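To find out whether a tenant is in this situation, the added example below (not code from the original post) lists every conditional access policy that targets the "Register security information" user action and shows its state, whether it blocks, and its location conditions. A policy that is enabled, blocks, includes all locations and excludes only the corporate network is exactly the case described above. It assumes the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.

```powershell
# Added example: requires Microsoft.Graph.Identity.SignIns and Policy.Read.All (assumptions).
Connect-MgGraph -Scopes 'Policy.Read.All'

# Graph represents the "Register security information" user action with this fixed,
# documented identifier in conditions.applications.includeUserActions.
$registerSecurityInfo = 'urn:user:registersecurityinfo'

$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeUserActions -contains $registerSecurityInfo }

if (-not $policies) {
    "No conditional access policy targets 'Register security information'; the nudge is not being suppressed by CA."
    return
}

foreach ($p in $policies) {
    $grant = $p.GrantControls
    # 'block' in BuiltInControls means the policy denies the sign-in outright. Any other
    # grant (mfa, compliantDevice, ...) is a requirement, not a block.
    $blocks = ($null -ne $grant) -and ($grant.BuiltInControls -contains 'block')
    $loc = $p.Conditions.Locations

    [pscustomobject]@{
        DisplayName      = $p.DisplayName
        # enabled / disabled / enabledForReportingButNotEnforced; only 'enabled' suppresses the nudge
        State            = $p.State
        Blocks           = [bool]$blocks
        IncludeLocations = ($loc.IncludeLocations -join ', ')   # 'All' means every network
        ExcludeLocations = ($loc.ExcludeLocations -join ', ')   # named locations such as the corporate LAN
        IncludeUsers     = ($p.Conditions.Users.IncludeUsers -join ', ')
    }
}
```

Read the output together with the user's sign-in: a user signing in from a location that is not in ExcludeLocations, under an enabled policy with Blocks = True, is in scope of the block and will not see the nudge, just as the post describes.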

AzureAD Restricted Access - Guest Permission Level


ICYMI: we introduced a new guest permission level in Azure AD that restricts what guests can view about other directory objects in your tenant.

Screenshot showing table of guest permission levels with new one from Restricted access (new) = Guests can't see membership of any groups

When guest access is restricted, guests can view only their own user profile. Permission to view other users isn’t allowed even if the guest is searching by UserPrincipalName or objectId. Restricted access also prevents guest users from seeing the membership of groups they’re in.

Screenshot from Azure Portal showing the new guest user access restriction option. Including "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)"

Here are some before/after experiences for Guests. This is from the My Groups page (accessed from ). The guest goes from being able to see the names and email addresses of other guests in the group to the Groups view being disabled for them.


Similarly, guests with restricted access are also blocked from being able to see a list of groups they are members of.


Finally, PowerShell. By default, guests with limited access will be able to get a list of group members and even traverse up the org chart by looking up managers.

Screenshot of PowerShell commands showing what guests can see.

Restricted access blocks these commands from being run.

Screenshot of the Get-AzureADGroupMember and Get-AzureADUser cmdlets returning Request denied error messages.

This doc has a neat table summarizing the different access levels. Default user permissions - Azure Active Directory

To learn more about the restricted permission, supported apps and config details see Restrict guest user access permissions - Azure Active Directory

If you want to learn how to restrict PowerShell access for guests while staying with ‘Limited access’, that’s a post for another day.

BTW, in Teams:

Limited Access = Guests can search for any user in the tenant by UPN/email and chat with them.

Restricted Access = Guests can only search for and chat with users that are in the team/group(s) they have been invited to. They cannot look up and chat with other users in the tenant.
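The guest permission level is a single property on the tenant's authorization policy, so it can be audited and changed from Graph PowerShell. The added example below (not code from the original post) reports the current level, and only when run with -Apply moves the tenant to Restricted access and reads the value back. The three role template IDs come from the "Restrict guest user access permissions" documentation linked above; the example assumes the Microsoft.Graph.Identity.SignIns module, Policy.Read.All to read and Policy.ReadWrite.Authorization to change the setting.

```powershell
# Added example: requires Microsoft.Graph.Identity.SignIns; Policy.Read.All to report,
# Policy.ReadWrite.Authorization to change (assumptions).
param([switch]$Apply)

# Guest permission levels and their role template IDs, as documented by Microsoft in
# "Restrict guest user access permissions" (verify against the docs before relying on them).
$guestLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Member (same access as member users)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access (most restrictive)'
}
$restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'

$scopes = if ($Apply) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes

# authorizationPolicy is a tenant-wide singleton; guestUserRoleId holds the current level.
$current = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
$label = if ($guestLevels.ContainsKey("$current")) { $guestLevels["$current"] } else { 'unknown' }
"Current guest permission level: $current ($label)"

if (-not $Apply) { return }

if ($current -eq $restricted) {
    "Tenant is already on Restricted access; nothing to change."
    return
}

# PATCH the singleton directly; only the one property is sent.
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' `
    -Body @{ guestUserRoleId = $restricted }

$after = (Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
"Guest permission level is now: $after ($($guestLevels["$after"]))"
```

After switching to Restricted access, the Get-AzureADGroupMember and Get-AzureADUser calls in the screenshots above start returning the Request denied error for guests, which is a quick way to confirm the change took effect from a guest's point of view.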